Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Optimal jamming attack strategies and network defense policies in wireless sensor networks


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Optimal jamming attack strategies and network defense policies in wireless sensor networks

  1. 1. Optimal Jamming Attacks and Network Defense Policies in Wireless Sensor Networks Mingyan Li Iordanis Koutsopoulos Radha Poovendran Network Security Laboratory Dept. of Computer and Network Security Laboratory Dept. of Electrical Engineering Communication Engineering Dept. of Electrical Engineering University of Washington University of Thessaly University of Washington and Boeing Phantom Works Volos, Greece Seattle, Washington Seattle, Washington Abstract— We consider a scenario where a sophisticated jam- Misbehavior stems from the selfish inclination of wirelessmer jams an area in a single-channel wireless sensor network. entities to improve their own derived utility to the expenseThe jammer controls the probability of jamming and transmis- of other nodes’ performance deterioration, by deviating fromsion range to cause maximal damage to the network in termsof corrupted communication links. The jammer action ceases legitimate protocol operation at various layers. The utilitywhen it is detected by a monitoring node in the network, and a is expressed in terms of consumed energy or achievablenotification message is transferred out of the jamming region. The throughput on a link or end-to-end basis. The first case arisesjammer is detected at a monitor node by employing an optimal if a node denies to forward messages from other nodes sodetection test based on the percentage of incurred collisions. On as to preserve battery for its own transmissions. The latterthe other hand, the network computes channel access probabilityin an effort to minimize the jamming detection plus notification case occurs when a node prevents other nodes from accessingtime. In order for the jammer to optimize its benefit, it needs the channel [1] or from routing messages to destinations byto know the network channel access probability and number selfish manipulation of the access control and routing protocolof neighbors of the monitor node. Accordingly, the network respectively. The work in [2] focuses on optimal detection inneeds to know the jamming probability of the jammer. We study terms of number of required observations to derive a decisionthe idealized case of perfect knowledge by both the jammerand the network about the strategy of one another, and the for the worst-case access layer misbehavior strategy out of thecase where the jammer or the network lack this knowledge. class of strategies that incur significant performance losses.The latter is captured by formulating and solving optimization The framework captured uncertainty of attacks and the caseproblems, the solutions of which constitute best responses of the of intelligent attacker that can adapt its policy to delay itsattacker or the network to the worst-case strategy of each other. detection.We also take into account potential energy constraints of thejammer and the network. We extend the problem to the case of Jamming can disrupt wireless transmission and can occurmultiple observers and adaptable jamming transmission range either unintentionally in the form of interference, noise orand propose a intuitive heuristic jamming strategy for that case. collision at the receiver side or in the context of an attack. A jamming attack is particularly effective since (i) no special hardware is needed in order to be launched, (ii) it can be I. I NTRODUCTION implemented by simply listening to the open medium and The fundamental characteristic of wireless networks that broadcasting in the same frequency band as the network andrenders them vulnerable to attacks is the broadcast nature of (iii) if launched wisely, it can lead to significant benefitstheir medium. This exposes them to passive and active attacks, with small incurred cost for the attacker. With regard to thewhich are different in their nature and objectives. In the former, machinery and impact of jamming attacks, they usually aima malicious entity does not take any action except passively at the physical layer and are realized by means of a highobserving ongoing communication, e.g. eavesdropping so as transmission power signal that corrupts a communication linkto intervene with the privacy of network entities involved or an area. Conventional defense techniques against physi-in the transaction. On the other hand, an active attacker cal layer jamming rely on spread spectrum, which can beis involved in transmission as well. Depending on attacker too energy-consuming to be widely deployed in resource-objectives, different terminology is used. If the attacker abuses constrained sensors. Jamming attacks also occur at the accessa protocol with the goal to obtain performance benefits itself, layer; an adversary either corrupts control packets or reservesthe attack is referred to as misbehavior. If the attacker does not the channel for the maximum allowable number of slots, sodirectly manipulate protocol parameters but exploits protocol that other nodes experience low throughput by not being ablesemantics and aims at indirect benefits by unconditionally to access the channel [3]. The work in [4] studies the problemdisrupting network operation, the attack is termed jamming of a legitimate node and a jammer transmitting to a commonor Denial-of-Service (DoS), depending on whether one looks receiver in an on-off mode in a game-theoretic its cause or its consequences. Other jamming attacks influence the network layer by ma-
  2. 2. licious packet injection along certain routes or the transport probability. With this work, we contribute to existing literaturelayer (e.g. SYN message flooding). In [5] attacks in computer as follows: (i) We derive the optimal attack and defensenetworks are detected by observing the IP port scanning strategies as solutions to optimization problems that are facedprofile prior to the attack and by using sequential detection by the attacker and the network respectively by including intechniques. The work [6] uses controlled authentication to the formulation energy limitations, (ii) for attack detection, wedetect spam message attacks and presents a distributed scheme provide an optimal detection test that derives decisions basedfor the trade-off between attack resilience and computational on the measurable percentage of incurred collisions, (iii) wecost. include in the formulation attack detection and transfer of the Sensor networks are susceptible to jamming attacks since attack notification message out of the jammed area, (iv) wethey rely on deployed miniature energy-constrained devices to formulate optimization problems that capture the impact ofperform a certain task without a central powerful monitoring available knowledge of the attacker and the network about thepoint. Wood [7] provide a taxonomy of DoS attacks for strategies of each other. For the case of lack of knowledge,sensor networks from the physical up to the transport layer. the attacker and the network respond optimally to the worst-The authors in [8] present attacks aimed at sensor network case strategy of the other, (v) we extend the basic model toprotocols and are based on learning protocol semantics such the case of multiple monitoring nodes and varying jammingas temporal packet arrangement, slot size or preample size. In transmission range and suggest a simple efficient jamming[9], low-energy attacks are analyzed, which corrupt a packet by strategy. In the sequel, we use the equivalent terms “attacker”,jamming only a few bits, such that the code error correction ca- “adversary” and “jammer” to refer to the malicious node. Thepability is exceeded. Low Density Parity Check (LDPC) codes rest of the paper is organized as follows. In section II, we stateare proposed as a method to defend against these attacks. The our network and adversary models, and describe the jammingwork in [10] considers passing attack notification messages out detection mechanism. In section III, we formulate jammingof a jammed region by creation of wormhole links between and defense problems and derive the optimal solutions. Wesensors, one of which resides out of the jammed area. Links are conclude our paper in section IV.created through frequency hopping over a channel set either II. M ODELING A SSUMPTIONSin a predetermined or in an ad-hoc fashion. In [11], four typesof jammers, namely constant, deceptive, random, and reactive A. Sensor network modeljammer are studied. The authors use empirical methods based We consider a wireless sensor network deployed over a largeon signal strength and packet delivery ratio measurements area and operating under a single-carrier slotted Aloha typeto detect jamming. In [12], various countermeasures against access control protocol. We assume symmetric transmission,jamming are assessed. Channel surfing involves on-demand namely a node i can receive signal from node j if and only iffrequency hopping in case of an attack and spatial retreat refers node j can receive signal from i. The network is representedto moving away from jamming region. The case of an attacker by an undirected graph G = (S, E) where S is the set ofthat corrupts broadcasts from a base station (BS) to a sensor sensor nodes and E is the set of edges. Time is divided intonetwork is considered in [13]. The interaction between the time slots and the slot size equals the size of a packet. Allattacker and the BS is modeled as a zero-sum game in which nodes are assumed to be synchronized with respect to slotthe attacker selects the number of sensors to jam and the BS boundaries. Each node transmits with a fixed power level Pchooses the sample rate of sensor status. with an omni-directional antenna and its transmission range In this paper we study controllable jamming attacks that R and sensing range Rs are circular with sharp boundary.are easy to launch and difficult to detect and confront, since Transmission and sensing ranges are defined by two thresholdsthey differ from brute force attacks. The jammer controls of received signal strength. A node within transmission rangeprobability of jamming and transmission range in order to of node i can correctly decode messages from i, while a nodecause maximal damage to the network in terms of corrupted within sensing range can just sense activity due to highercommunication links. The jammer action ceases when it is signal strength, but cannot decode a message. Typically, Rs isdetected by the network, namely by a monitoring node, and a small multiple of R ranging from 2 to 3. A node withina notification message is transferred out of the jamming distance R of a node i is called neighbor of i, and theregion. The fundamental tradeoff faced by the attacker is neighborhood of i, Ni is the set of all neighbors of i. Also,the following: a more aggressive attack in terms of higher ni = |Ni | is the size of i’s neighborhood. Transmissions fromjamming probability or larger transmission range increases a node i are received by all its neighbors. Sensor nodes arethe instantaneously derived payoff but exposes the attacker uniformly distributed in a region with spatial density ρ nodesto the network and facilitates its detection and later on its per unit area and the topology is static, i.e, we assume noisolation. In an effort to withstand the attack and alleviate the mobility. Each node has an amount of energy E.attacker benefit, the network adapts channel access probability. Each node has one transceiver, so that it cannot transmitThe necessary knowledge of the jammer in order to optimize and receive simultaneously. All nodes are assumed to beits benefit consists in knowledge about the network channel continuously backlogged, so that there are always packetsaccess probability and number of neighbors of the monitor in each node’s buffer in each slot. Packets can be eithernode. Accordingly, the network needs to know the jamming generated by higher layers of a node or come from other
  3. 3. nodes and need to be forwarded, or they may result from neighbor transmits. The probability of a collision at node i isprevious unsuccessful transmission attempts due to collisionand need to be retransmitted. A transmission on edge (i, j) is θ1 = 1 − Pr{no neighbor transmits} −successful if and only if no node in Nj ∪ {j} {i} transmits Pr{one neighbor transmits while adversary does not}during that transmission. In this work, we consider the class of = 1 − (1 − γ)ni − (1 − q)ni γ(1 − γ)ni −1 .multiple access protocols that are characterized by a commonchannel access probability γ for all nodes in a slot. Each node i If jamming occurs without sensing, the collision probability isuses uni-cast transmission and chooses the destination equally θ1 = (1 − P r{no neighbor transmits})q + θ0 (1 − q)likely, that is, the probability that a packet is transmitted to = θ0 + qni γ(1 − γ)(ni −1) = θ1j ∈ Ni is γ/ni . Provided that it remains silent in a slot, areceiver node j experiences collision if at least two nodes in its Thus, the probability of collision is the same regardless ofneighborhood transmit simultaneously, regardless of whether whether the jammer senses the channel before jamming. Thisthe transmitted packets are destined to node j or to other implies that jamming can be viewed as multiple access amongnodes. Hence, the probability of collision at node j in a a network of ν legitimate nodes, each with access probabilityslot is θ0 = 1 − Pr{only one or no neighbor transmits} = γ and the jammer with access probability q. Nevertheless, by n n −11−(1 − γ) j −nj γ(1 − γ) j . If node j attempts to transmit using sensing, the adversary does not waste energy on emptyat a slot while it receives a message, a collision occurs as well. slots and conserves transmission energy by a factor of 1−(1−In that case, the receiver cannot find out whether the collision γ)ν . For large ν, 1 − (1 − γ)ν ≈ 1, which means that in ais due to its own transmission, or it would occur anyway. dense sensor network, it is very likely that some transmissionHence, in the sequel, collision will refer to the case of multiple occurs at each time. Note however that energy expenditure duesimultaneous transmissions to a node and no transmission to sensing is non-negligible [11]. In the sequel, we will notattempt by that node. Whenever packet collision occurs at consider the energy saving factor 1 − (1 − γ)ν .a receiver, the packet is retransmitted in the next slot if the We focus on different cases of attacker knowledge about thetransmitter accesses the channel again. If a node does not have network, such as full knowledge about network parametersany neighbors, i.e nj = 0, this node does not receive any such as access probability γ and neighborhood size of apackets and does not experience collisions. monitor node or no such knowledge. Different instances of network knowledge about the attacker strategy will be studiedB. Attacker model as well. We consider one attacker in the area, which is not authen- C. Attack detection modelticated and associated with the network. The objective of the The network employs a monitoring mechanism for detectingjammer is to corrupt transmissions of legitimate nodes by caus- potential malicious activity by a jammer. The monitoringing packet collisions at receivers. Intentional collision leads mechanism consists of the following: (i) determination of ato retransmission and thus additional energy consumption subset of nodes M that will act as network monitors, and (ii)for a certain amount of throughput, or equivalently reduced employment of a detection algorithm at each monitor node.throughput for a given amount of consumed energy. The assignment of the role of monitor to a node can be Upon sensing the channel, the attacker transmits a small affected by energy limitations and detection performance spec-packet which collides with legitimately transmitted packets at ifications. In this work, we fix M and formulate optimizationtheir intended receivers. As argued in [9], a jammer beacon problems for one or more monitor nodes.packet of a few bits suffices to disrupt a transmitted packet in We now fix attention to detection at one monitor node. First,the network. The jammer is assumed to have energy resources we define the quantity to be observed at each monitor node. InEm , but the corresponding constraint in the optimization our case, the readily available metric is probability of collisionproblems of the next section can be considered redundant that a monitor node experiences, namely the percentage ofif the jammer adheres to the aforementioned policy. The packets that are erroneously received. During normal networkjammer uses an omni-directional antenna with circular sensing operation, and in the absence of a jammer, we consider a largerange Rms and adaptable transmission range Rm , realized by enough training period in which the monitor node “learns”controlling transmission power Pm . The jammer also controls the percentage of collisions it experiences as the long-termthe probability q of jamming the area within its transmission average of the ratio of number of slots in which there wasrange in a slot, thus controlling the aggressiveness of the a collision over total number of slots of the training period.attack. The attack space is specified by P × (0, 1), where Assume now the network operates in the open after the trainingP is a discrete set of power levels. The attacker attempts to period and fix attention to a time window much smaller thanstrike a balance between short and long-term benefits in the the training period. An increased percentage of collisions overfollowing sense: an aggressive attack increases instantaneous this time window compared to the learned long-term averagebenefit at the risk of being detected faster, while a mild attack may be an indication of an ongoing jamming attack or onlymay prolong the detection time. a temporary increase of percentage of collisions compared Collision occurs at node i if the jammer jams and at least a to the average during normal network operation. A detection
  4. 4. algorithm takes observation samples obtained at the monitor The decision is taken based on the following criteria:node (i.e, collision or not collision) and decides whether thereexists an attack. On one hand, the observation window should Sk ≥ a ⇒ accept H1 ,be small enough, such that the attack is detected on time and Sk < b ⇒ accept H0 , (4)appropriate countermeasures are initiated. On the other hand, b ≤ Sk < a ⇒ take another observation.this window should be sufficiently large, such that the chanceof a false alarm notification is minimized. Thresholds a and b depend on the specified values of PF A The sequential nature of observations at consecutive time and PM , as will be explained in the sequel.slots motivates use of sequential detection techniques. A se- The objective of a detection rule is to minimize the numberquential decision rule consists of (i) a stopping time indicating of required observation samples to derive a decision aboutwhen to stop taking observations, and (ii) a final decision rule existence or not of attack. The detection performance isthat decides between the two hypotheses (i.e, occurrence or not quantified by the average sample number (ASN) E[N ] neededof jamming). A sequential decision rule is efficient if it can until a decision is reached, where the average is taken withprovide reliable decision as fast as possible. The probability respect to the distribution of the observations. From Wald’sof false alarm PF A and probability of missed detection PM identity [14], it isconstitute inherent tradeoffs in a detection scheme, in the E[SN |Hi ] = E[N ] × E[Λ|Hi ], (5)sense that a faster decision unavoidably leads to higher valuesof these probabilities while lower values are attained at the where E[Λ|Hi ] is the expected value of the logarithm ofexpense of detection delay. For given values of PF A and likelihood ratio, conditioned on hypothesis Hi . By using aPM , the detection test that minimizes the average number of similar derivation as the one in [16], we obtain the inequalitiesrequired observations (and thus the average delay) to reach 1 − PM ≥ ea PF A and PM ≤ eb (1 − PF A ). (6)a decision among all sequential and non-sequential tests forwhich PF A and PM do not exceed the predefined values above When the average number of required observations is veryis Wald’s Sequential Probability Ratio Test (SPRT) [14]. When large, the increments Λj of the logarithm of likelihood ratio areSPRT is used for sequential testing between two hypotheses also small. Therefore, when the test terminates with selectionconcerning two probability distributions, SPRT is optimal in of hypothesis H1 , SN is slightly larger than a, while when itthat sense as well [15]. terminates with selection of H0 , SN is very close to b. There- SPRT collects observations until significant evidence in fore, the above inequalities hold with good approximation asfavor of one of the two hypotheses is accumulated. After each equalities. Under this assumption, the decision levels a andobservation at the k-th stage, we choose between the following b that are required for attaining performance (PF A , PM ) areoptions: accept one or the other hypothesis and stop observing, given byor defer decision and obtain another observation k + 1. There 1 − PM PMexist thresholds a and b that aid in the decision. The computed a = ln and b = ln . (7) PF A 1 − PF Afigure of merit at each stage is the logarithm of likelihood ratioof the accumulated sample vector until that stage. Furthermore, due to the above and [14], [16], it is E[SN |H1 ] = In our case, the test is between hypotheses H0 and H1 that aPD + b(1 − PD ), where PD = 1 − PM is the probabilityinvolve Bernoulli probability mass functions (p.m.f’s) with f0 of detection of SPRT. Hence, the average number of samplesand f1 , where fi , i = 0, 1 are defined as p.m.f’s: needed for detecting jamming is E[SN |H1 ] C Pr{Y = 1} = θi = 1 − Pr{Y = 0} (1) E[N |H1 ] = = θ1 1−θ1 (8) E[Λ|H1 ] θ1 log θ0 + (1 − θ1 ) log 1−θ0where Y = 1 denotes the event of collision in a slot. That Observe that the above is a function of q and γ, denoted alsois, H0 means absence of jamming and thus the corresponding by D(q, γ).p.m.f f0 is Bernoulli with parameter θ0 , while H1 correspondsto jamming with a Bernoulli p.m.f f1 with parameter θ1 . III. O PTIMAL JAMMING ATTACK AND DEFENSE POLICIESThe logarithm of likelihood ratio at stage k with accumulated AS SOLUTIONS TO OPTIMIZATION PROBLEMSsamples x1 , . . . , xk is An aggressive attack, namely one with large q has a large f1 (x1 , . . . , xk ) potential to corrupt links in several time slots. Nevertheless, Sk = ln , (2) this attack will be detected relatively fast due to the large f0 (x1 , . . . , xk ) percentage of incurred collisions. Following detection, a noti-where fi (x1 , . . . , xk ) is the joint p.m.f of sequence fication message will be passed out of the jammed region and(x1 , . . . , xk ) based on hypothesis Hi , i = 0, 1. If observation hence it can be assumed that the damage caused to the networksamples are statistically independent, then is mitigated or ceased. On the other hand, a milder attack, k k namely one with smaller q may turn out to be more beneficial f1 (xj ) for the attacker, provided of course that the attacker does not Sk = Λj = ln . (3) j=1 j=1 f0 (xj ) need to jam links urgently. The objective of an adversary is to
  5. 5. increase the total number of corrupted links before the attack The instantaneous payoff for the attacker that jams withis detected and the notification alarm is propagated. probability q after sensing a transmission is The network performance metric is the number of successful UmI (q, γ) = q E[ Y ] = qAm A(ργ)2 e−ργA − e−ρA , (9)transmissions in each slot, namely the throughput. As a firstline of defense the network can select the access probability and is linearly increasing with q.γ so as to (i) increase the number of successful transmission The instantaneous payoff for the network in the absence oflinks under given energy limitations, (ii) “expose” the poten- jammer istially existing jammer by reducing the number of required UI (γ) = E[ Y ] = Am A(ργ)2 e−ργA − e−ρA ,samples to make a decision. Another constraint for the networkis to maintain a certain minimum throughput in the presence which has global maximum with respect to γ. For large enough 2of an attack, if possible. values of ρ, E[ Y ] has a maximum at approximately γ = Aρ . In the presence of a jammer, the instantaneous payoff for theA. Attacker Payoff network is UI (γ, q) = (1 − q)Am A(ργ)2 (e−ργA − e−ρA ). The cumulative payoff UmC for the attacker is the number The payoff of the attacker is measured in terms of number of jammed links until the jammer is detected and the notifi-of incurred corrupted links. The instantaneous payoff of the cation message is transferred out of the jammed area. Havingattacker UmI , is the average number of additionally corrupted assumed a single-channel system, we assume there does notlinks in a slot, not counting those due to legitimate contention. exist a control channel for signalling notification. Hence, theIt depends on jamming probability q and network access transfer of the notification message from the monitor node outprobability γ and is denoted as UmI (q, γ). In order to obtain an of the jammed region in a multi-hop fashion still undergoesanalytic expression for UmI (q, γ), we first find the probability the effects of jamming. Having obtained an expression ofof successful transmission in the absence of jamming. detection time as a function of q and γ, we compute the Since nodes are uniformly distributed with spatial density average time needed for the notification message to be carriedρ, and each node independently transmits with probability γ out of the jammed area. The probability of successful channelat each slot, the transmitters are uniformly distributed with access for a node i on the route of the notification messagedensity ργ and the total number of transmitters in the jammed in the presence of jamming is pa = (1 − q)γ(1 − γ)ni −1 . 2area Am = πRm is Poisson distributed with spatial density Hence, the average waiting time for node i before successfulλ = ργ [17]. Since nodes are continuously backlogged and ∞ transmission is j=1 j(1 − pa )j−1 pa = 1/pa slots. Let thea node cannot transmit and receive at the same time, the average number of hops needed to deliver the alarm out ofpotential receivers are uniformly distributed in the same area area Am be H. Assuming a dense sensor deployment, thewith density ρ(1 − γ). Equivalently, in area A the number of route followed by the notification message can be roughlytransmitters and receivers is Poisson distributed with parameter approximated by a straight line. Then, H ≈ Rm /(2R), namelyAργ and Aρ(1 − γ), respectively. A transmission is successful the average distance of the monitor from the boundary ofif there is no other transmitter in a receiver’s transmission the jamming area divided by node transmission range R. Werange of area A = πR2 and there is at least one receiver in adhere to this approximation since exact calculation of Hthe transmitter’s transmission range of area A. The probability relies on knowledge about network topology and location ofof success of an attempted transmission, ps is the monitor. Such knowledge is rather unrealistic to assume ps = Pr{only one transmitter in area A} for the attacker and even for the network itself. The average time needed for the alarm to propagate out of the jamming ×Pr{at least one potential receiver in area A} area is = ργAe−ργA × 1 − e−ρ(1−γ)A H H W (q, γ) = = , (10) = ργA e−ργA − e−ρA . pa (1 − q)γ(1 − γ)n−1 ¯ where n = ρA − 1 is the average number of neighbors of a ¯ Conditioned on a fixed total number of transmitters X = node along the path. It can be shown that W (q, γ) is convexx, and since each transmission succeeds with probability ps , and monotonically increasing in terms of q. It is also convex inthe number of successful transmission links Y follows the terms of γ and the minimum is achieved at γ = 1−exp[−1/¯ ]. nbinomial distribution with parameters (x, ps ). The conditional The total time until the jamming activity stops is D(q, γ) +mean is E[Y |X = x] = xps . Since the adversary launches an W (q, γ) and becomes infinite in the following cases:attack after sensing a transmission and all transmission links • q = 0, which essentially means no jamming, hence nowithin its range will be corrupted, the payoff for the jammer in difference between normal and abnormal conditions anda slot will be E[Y ]. Recall now that X is Poisson distributed hence infinite detection time.with parameter Am ργ. We have • q = 1, namely the scenario of continuous jamming, where the notification time approaches infinity. E[ Y ] = EX [ EY [ Y |X = x ] ] = EX [ Xps ] • γ = 0, namely the case of absence of network transmis- = ps ργAm sions, where no collision is observed and the detection = Am A(ργ)2 e−ργA − e−ρA . time approaches infinity.
  6. 6. • γ = 1, where all network transmissions fail due to exces- • Case 1: the attacker knows the network policy, namely sive contention regardless of existence of an adversary. the access probability γ and the networks knows theThen, the cumulative reward for the jammer for q > 0 is jamming probability q. • Case 2: Lack of the knowledge above at both sides. UmC (q, γ) = UmI (q, γ)[D(q, γ) + W (q, γ)] Case 1: We start with the attacker’s problem. Since the C = qUI (γ) detection time approaches infinity at q = 0, 1, the solution is θ1 (1−θ1 ) θ1 log θ0 + (1 − θ1 ) log (1−θ0 ) determined by the energy and payoff constraints, which can H be written as: +qUI (γ) . (11) (1 − q)γ(1 − γ)n−1 ¯ q [D(q, γ) + W (q, γ)] ≤ Em /(Pm )The cumulative payoff UmC (q, γ) goes to infinity at q = 0 0 q [D(q, γ) + W (q, γ)] ≥ Um /UmI (γ)and q = 1. For q → 0, the jammer is almost undetectableand the number of disrupted links over an infinite time adds Function F (q) = q(D(q, γ) + W (q, γ)) approaches infinityup to infinity. When q → 1, although the detection time at q = 0 and q = 1 and can be shown to have one minimum inis minimized, the channel is completely occupied by the [0,1]. We omit the proof due to space constraints. Let fmin beadversary and nodes are prevented from accessing it and flag the minimum of F (q). We can distinguish three cases aboutthe attack and hence the damage caused also goes to infinity. the solution: 0Similarly, the cumulative payoff for the network is 1) If Em /Pm < max{Um /UI (γ), fmin }, there exists no feasible solution q. This reflects the fact the attacker UC (q, γ) = (1 − q)UI (γ)[D(q, γ) + W (q, γ)]. (12) cannot cause a certain level of damage due to energyand is increasing with γ. limitations. 0 2) If Em /Pm ≥ Um /UI (γ) ≥ fmin , the energy constraintB. Problem formulation and solution (13) restricts the value of q to an interval [q1 , q2 ], where 1) Constant jamming power and one monitor node: In q1 and q2 are obtained by making the energy constraintthis section we formulate optimization problems to derive an equality. Similarly, the payoff constraint (14) yieldsoptimal strategies from the point of view of the jammer and a range of feasible values for q, (0, q3 ] and [q4 , 1]. 0the network with one designated monitor node. The objective Note that since Em /Pm ≥ Um /UI (γ), the followingfunction is the total delay D(q, γ) + W (q, γ). An adversary must hold: q1 ≤ q3 and q2 ≥ q4 , i.e. the two rangestries to maximize it by controlling q and the network tries of feasible values for q overlap. Hence, the feasibleto minimize it by selecting γ. Both entities select parameters ranges for q are [q1 , q3 ] and [q4 , q2 ]. Since D(q, γ) +subject to energy limitations and payoff threshold constraints. W (q, γ) = F (q)/q and F (q1 ) = F (q2 ) ≥ F (q3 ) = Problem 1: F (q4 ) with q1 ≤ q3 ≤ q4 ≤ q2 , we have F (q1 )/q1 > The attacker problem is: max{F (q2 )/q2 , F (q3 )/q3 , F (q4 )/q4 }, hence q ∗ = q1 . 0 3) If Em /Pm ≥ fmin ≥ Um /UI (γ), the payoff constraint max0<q≤1 D(q, γ) + W (q, γ) (14) is automatically satisfied for q ∈ (0, 1]. Hence the s.t. qPm [D(q, γ) + W (q, γ)] ≤ Em (13) solution q ∗ is defined by the energy constraint. Since 0 UmC (q, γ) ≥ Um (14) F (q1 )/q1 > F (q2 )/q2 , it is q ∗ = q1 .where cumulative payoff UmC (q, γ) is defined in (11). The Combining cases 2 and 3, we have that q ∗ = q1 if Em /Pm > 0 0payoff threshold Um denotes a minimum required payoff for max{Um /UI (γ), fmin }, where q1 is the smallest value of qthe jammer and captures the case where the jammer receives that satisfies the energy constraint (13) with equality. From thebenefit by corrupting communication in a certain time frame. solution, it follows that optimal strategies for the attacker tend The corresponding problem from the network’s point of to be rather mild and long-term.view is: Next, we consider the network problem. The network needs to find access probability γ ∗ that minimizes the detection min0≤γ≤1 D(q, γ) + W (q, γ) plus notification time. Recall that the objective function is s.t. γP [D(q, γ) + W (q, γ)] ≤ E (15) not of finite value at γ = 0 and γ = 1. Similar as before, it can be shown that the total delay has a minimum at UC (q, γ) ≥ U 0 (16) some point γ, γmin . The energy constraint (15) is writtenwhere the network cumulative payoff UC (q, γ) is given by (12) as γ(D(q, γ) + W (q, γ)) ≤ E/P with γ(D(q, γ) + W (q, γ))and U 0 is the payoff threshold for the network. Threshold U 0 being monotonically increasing in γ. Therefore, the energyserves the purpose of avoiding network defense policies with constraint (15) imposes an upper bound on γ, denoted bysmall γ and accounts for the fact that the network aims at γub , which is obtained by making the energy constraint anachieving a certain minimum level of throughput. equality. Meanwhile, the network cumulative payoff UC (q, γ) These optimization problems obtain different twists depend- is also increasing with γ. Hence, the payoff constraint imposesing on the amount of knowledge of the attacker and the a lower bound on γ, γlb . There are now four cases for thenetwork about each other. We distinguish and study two cases: solution:
  7. 7. 4 maximum detection and notification delay x 10 10 4 x 10 minimum detection and notification delay 3.5 9 8 3 7 2.5 D(q*, γ)+W(q*, γ) 6 D(q, γ*)+W(q, γ*) 2 5 4 1.5 3 1 2 0.5 1 0 0 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 γ q (a1) Attacker: maximum detection and (b1) Network: minimum detection and notification delay for different γ’s. notification delay for different q’s. optimal γ* miniming detection and notification delay with energy and payoff constraints optimal q* maximizing detection and notification delay with energy and payoff constraints 0.4 1 0.8 0.2 0.6 γ* (γ*=−1 indicates no feasible solution) q* (q*=−1 indicates no feasible solution) 0 0.4 0.2 −0.2 0 −0.4 −0.2 −0.4 −0.6 −0.6 −0.8 −0.8 −1 −1 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 γ q (a2) Attacker: optimal q ∗ for different γ’s. (b2) Network: optimal γ ∗ for different q’s.Fig. 1. Numerical results for Case 2 of Problem 1 (lack of knowledge by attacker and network about the strategy of each other. Note that q ∗ = −1 (orγ ∗ = −1) in the plots indicate the non-existence of a feasible solution. • If γlb > γub , there exists no feasible solution, since To approximate the solution of the max-min problem above, the network has a high payoff requirement and limited the attacker starts with a large number of M candidate values energy. of γ, γj ∈ [0, 1], j = 1...M . For each γj , the attacker finds ∗ • If γlb < γub and γmin ∈ [γlb , γub ], the optimal solution qj that maximizes D(q, γj ) + W (q, γj ) subject to the con- is γ ∗ = γmin . ∗ straints. The attacker chooses among all the qj ’s the one that • If γmin < γlb < γub , then γ ∗ = γlb , and the solution is ∗ ∗ corresponds to the smallest value of D(qj , γj ) + W (qj , γj ), dictated by the payoff threshold. j = 1...M . Clearly, the approximation of the solution becomes • If γlb < γub < γmin , then γ ∗ = γub and the solution is better with a larger number M . defined by the energy threshold. Along the same lines, the network takes the conservative Case 2: Suppose now that the attacker and the network approach that the attacker performs the optimal attack anddo not know the strategy of each other. One approach for solves the following problem as response to this attack:the attacker is to choose q so as to respond optimally to min0≤γ≤1 max0<q≤1 D(q, γ) + W (q, γ)the worst scenario (for the attacker) of network defense, s.t. γP [D(q, γ) + W (q, γ)] ≤ Enamely to the case where the network selects γ to minimizethe objective function. Admittedly, this approach is rather UC (q, γ) ≥ U 0 .conservative. The attacker payoff in that case is a lower bound The resulting total delay for the network in that case is anon attacker payoffs over all network defense policies. The upper bound on incurred delays over all jamming policies.attacker problem is: We have numerically evaluated the max-min and min-max problems for the following scenario: sensor node transmission max0<q≤1 min0≤γ≤1 D(q, γ) + W (q, γ) range R = 20m, node density ρ = 0.0025, energy constraint s.t. qPm [D(q, γ) + W (q, γ)] ≤ Em E/P = 500 (i.e., a sensor can continuously transmit in 500 0 UmC (q, γ) ≥ Um slots), payoff threshold U 0 = 500 transmissions, attacker
  8. 8. Optimal number of neighbors that minimizes the detection timetransmission range Rm = 200m, energy constraint Em /Pm = 25 01000, target payoff Um = 500, pF A = 0.02 and pD = 0.98.The results are presented in Figure 1. 20 From Figure 1, we obtain the solution for the adversary as q=0.3q ∗ = 0.87 with corresponding total delay of 1.137 × 103 slots. q=0.6 q=0.9The solution for the network is γ ∗ = 0.026 with corresponding 15total delay 3.089×104 . In fact, when q = 0.87 and γ = 0.026, n*D(q, γ) + W (q, γ) = 1.206 × 103 . If the adversary knows 10γ = 0.026, it can choose an optimal q ∗ = 0.828 and causedelay 1.506 × 103 , which is larger than the one obtainedwithout knowledge of γ. In order to incur the largest delay 5subject to energy and payoff constraints, the adversary needsto know γ. On the other hand, if the network knows q = 0.87, 0the optimal γ ∗ is 0.124 which reduces the detection and 0.02 0.04 0.06 0.08 0.1 0.12 0.14 γnotification delay to just 414 slots, which is much faster than Fig. 2. The optimal number of neighbors n to minimize the detection time1.206 × 103 . Note that 414 is faster than the minimum delay vs. γ for three different q’s.1.137 × 103 estimated by the adversary. This can be explainedby the fact that the adversary and the network each solvethe max-min and min-max problems subject to their ownconstraints. Similar problems can be formulated and solved discrete values {Pm,1 , . . . , Pm,L } with probability qj such that L j=1 qj = q. With probability q0 = 1−q the jammer remainswith the cumulative payoff as the objective function. 2) Constant jamming power and several monitor nodes: silent. Without loss of generality and to avoid the trivial solu- LWe now consider the extension for multiple monitor nodes. tion q0 = 1, we let q0 < 1, i.e. 0 < j=1 qj ≤ 1. DifferentDifferent monitor nodes have different perception of the prob- jamming power levels Pj lead to different jamming areas Am,jability of collision under normal conditions due to different with radii Rm,j . Define zone j to be the ring determinedneighborhood sizes and therefore reach a decision as to by Rm,j and Rm,j−1 , i.e. the area covered by power leveloccurrence or not of attack at different times. Nodes can be Pm,j but not Pm,j−1 . The average number of transmissionclassified in different classes C1 , . . . , CK such that nodes in links in Am,j is Tj = Am,j A(ργ)2 (e−ργA − e−ρA ). Weclass Cn have n neighbors, 1 < n ≤ nmax . Clearly, we assume that the network is dense enough such that therewould like to assign the role of monitor to nodes of a class always exists a monitor in each of the zones. A node in zone Lwith n∗ neighbors to minimize detection time. The optimal j perceives jamming with probability =j q . The averageneighborhood size n∗ as a function of γ is depicted in Figure number of hops to traverse zone j based on a previously stated2 for jamming probabilities q = 0.3, q = 0.6 and q = 0.9. assumption is approximately (Rm,j+1 − Rm,j )/2.We observe that as γ increases, n∗ approaches 1, which is the An interesting tradeoff arises here. Monitor nodes locatedcase of a monitor with only one neighbor. This is explained in outer zones perceive lower jamming probability and henceas follows: when γ is not small, multiple neighbors can cause the detection time can be large. However, they are close tocollision, thus negatively affecting detection delay. When γ is the boundary of the jammed area and thus they can pass asmall, a larger number of neighbors are needed in order for notification message out of the area in fewer hops, namelythe monitor to observe collision. faster. Monitors located in inner zones experience a more The attacker would like to choose its strategy so as to bal- aggressive attack and can detect it faster, but they delay inance the detection delays of different monitors. For sufficiently passing the message out of the jammed area. The goal oflarge values of γ, we concluded above that it needs to focus the attacker is to find jamming strategy so as to maximizeonly on the class C1 . When γ is small, e.g. γ < 0.05, the the detection plus notification delay. The strategy consists indetection delay balancing problem is meaningful and can be choosing vector (q, {qj }j=1,...,L ). We now show a simple andstated as: intuitive heuristic for the attacker. For ease of notation, denote Problem 2 ¯ detection and notification times by D(q) and W (q, R), where R¯ is the average distance of a monitor from the boundary of max min D(q, γ, Ci ), the jammed region. Symbolize Rm,j by Rj . 0<q≤1 i∈{1,...,K} The algorithm goes as follows: start by jamming the largestwhere we stress dependence of detection delay on different region, solve problem maxqL D(qL , γ)+W (qL , RL /2) subjectmonitor classes. Since detection time is decreasing in q regard- ∗ to the constraints, and find qL = q. Let a be the maximumless of number of neighbors, the smallest feasible q imposed value of the objective function. Assume now two power levelsby the energy constraint is the solution for the attacker. with ranges RL−1 and RL . Solve: 3) Controllable jamming power and several monitor nodes:We now consider the problem where the jammer can choose RL−1 RL − RL−1transmission power level Pm,j out of a set of L ordered max D(qL−1 )+W (qL−1 , )+W (q−qL−1 , ), qL−1 2 2
  9. 9. where the notification terms are the required time for a monitor probability to extend detection time. Likewise, the network canin the inner circle to pass the alarm through the two zones. adapt channel access probability. Finally, the issue of multiple,Let the optimal value be a1 . Compare with the detection plus potentially co-operating attackers gives a whole new flavor tonotification time required for a monitor in the outer zone, these problems and is worth further attention. max D(q − qL−1 ) + W (q − qL−1 , (RL − RL−1 )/2) ACKNOWLEDGMENTS qL−1 This work is supported in part by the following grantsand let the optimal value be a2 . Then, max{a1 , a2 } is the ONR N00014-04-1-0479 and ARO PECASE W911NF-05-1-total delay for two power levels. If max{a1 , a2 } > a, the 0491. This document was prepared through the collaborative ∗ ∗attacker adopts strategy (qL , qL−1 ), otherwise it uses strategy participation in the Communication and Networks Consortiumq. Continuing in that fashion, the attacker adds more power sponsored by the U.S. Army Research Laboratory under thelevels to its strategy if this is beneficial. Collaborative Technology Alliance Program DAAD19-01-2- We solved numerically the problem with ρ = 0.0025, 0011. The U.S. Government is authorized to reproduce and 0R = 20m, Um = 500, L = 2 power levels with ranges distribute reprints for Government purposes notwithstandingRm,1 = 100m and Rm,2 = 200m, and Em /Pm,1 = 1000, any copyright notation thereon. The views and conclusionsEm /Pm,2 = 2000. We also assumed different minimum contained in this documents are those of the authors and shouldnumber of neighbors per zone. In zone 1, the minimum number not be interpreted as representing the official policies, eitherof neighbors of monitors is 2 and in zone 2 it is 7. The network expressed or implied, of the Army Research Laboratory or thetransmission probability γ = 0.3 is known to the attacker. We U.S. Government.consider the following scenarios: (i) the adversary knows the I. Koutsopoulos acknowledges support of the Europeanneighborhood of monitors (ii) the adversary has no knowledge Commission NoE CRUISE (IST-4-027738) and the Marieof monitor locations and neighborhoods, hence it uses the Curie Grant SAINT-W (IRG-017267).average number of neighbors ρπ ∗ R2 − 1 = 2 in finding R EFERENCESthe optimal qj ’s. For case (i) the optimal jamming strategy is ∗ ∗ [1] P. Kyasanur and N. Vaidya, “Selfish MAC layer misbehavior in wirelessq1 = 0, q2 = 0.07, which yields the detection and notification networks,” IEEE Trans. Mobile Computing,, vol. 4, no. 5, Sept./Oct. 2005.delay 1.33 × 105 . For case (ii) the jamming strategy is q1 = ∗ [2] S. Radosavac, I. Koutsopoulos and J.S. Baras, “A framework for MAC ∗0.02, q2 = 0, i.e. to jam only the smaller zone, zone 1. The protocol misbehavior detection in wireless networks,” in Proc. ACM Workshop on Wireless Security (WiSe), 2005.detection and notification delay is 1.05×105 , which is less than [3] R. Negi and A. Perrig, “Jamming analysis of MAC protocols,” Carnegiethe delay the attacker can cause with full knowledge. From Mellon Technical Memo, 2003.the numerical solutions for different γ’s, we observed that the [4] R. Mallik, R. Scholtz, and G. Papavassilopoulos, “Analysis of an on-off jamming situation as a dynamic game,” IEEE Trans. Commun., vol. 48,optimal solution without knowledge of monitor neighborhood no. 8, pp. 1360-1373, Aug. to jam the inner region. The theoretical proof or disproof [5] J. Jung, V. Paxson, A.W. Berger and H. Balakrishnan, “Fast portscanof this observation is deferred for future study. detection using sequential hypothesis testing,” in Proc. IEEE Symposium on Security and Privacy, 2004. [6] V. Coskun, E. Cayirci, A. Levi, and S. Sancak, “Quarantine region scheme IV. C ONCLUSIONS to mitigate spam attacks in wireless-sensor networks”, IEEE Trans. on Mobile Computing, vol. 5, no. 8, pp. 1074-1086, August 2006. We studied controllable jamming attacks in wireless sensor [7] A. D. Wood and J. A. Stankovic, “Denial of service in sensor networks,”networks, which are easy to launch and difficult to detect and IEEE Computer, vol. 35, no. 10, pp. 54-62, 2002.confront. The derived solutions to the optimization problems [8] Y. W. Law, L. van Hoesel, J. Doumen, P. Hartel and P. Havinga, “ Energy- efficient link-layer jamming attacks against wireless sensor network MACdictate optimal attack and network defense strategies. Of par- protocols,” in Proc. ACM Security Sensor Ad-hoc Networks (SASN), 2005.ticular interest is the comparison between the case of perfect [9] G. Lin and G. Noubir, “On link-layer denial of service in data wirelessknowledge and that of lack of knowledge of the attacker and LANs,” Journal on Wireless Comm. and Mob. Computing, August 2004. [10] M. Cagalj, S. Capkun, J.-P. Hubaux, “Wormhole-based anti-jammingthe network about the strategy of each other. In the latter, the techniques in sensor networks,” IEEE Trans. on Mobile Computing, vol.attacker and the network respond optimally to the worst-case 6, no. 1, pp. 100-114, Jan. 2007.strategy of the other. [11] W. Xu, W. Trappe, Y. Zhang and T. Wood, “The feasibility of launching and detecting jamming attacks in wireless networks,” Proc. ACM Mobi- Our work is a first step towards understanding the structure Hoc, 2005.of these problems, identifying tradeoffs and capturing the [12] W. Xu, T. Wood, W. Trappe and Y. Zhang, “Channel surfing and spatialimpact of different parameters on performance. There exist retreats: defenses against wireless denial of service,” Proc. Workshop on Wireless Security (WiSe), 2004.several directions for future study. Interesting issues arise [13] J. M. McCune, E. Shi, A. Perrig and M. K. Reiter, “Detection of denial-in multi-channel networks. In that case, the defense strategy of-message attacks on sensor network broadcasts,” Proc. IEEE Symposiumspace has an additional dimension, channel switching, while on Security and Privacy, 2005. [14] A. Wald, Sequential Analysis, Wiley 1947.the jammer has higher energy costs when jamming more [15] Vladimir P. Dragalin, A. G. Tartakovsky and V. V. Veeravalli. “Mul-channels. Another interesting issue is to find alternatives tihypothesis Sequential Probability Ratio Tests - Part I: Asymptoticfor modeling lack of knowledge for the attacker and the optimality,” IEEE Trans. Inf. Theory, Vol. 45, No. 7, Nov. 1999. [16] C. W. Helstrom, Elements of signal detection and estimation, pp. 339-network. An idea would be to average over all strategies 340, Prentice-Hall, 1995.of the opponent. More enhanced versions of attacks can be [17] A. M. Mathai, An introduction to geometrical probability, Gordan andconsidered, such as the one with dynamic control of jamming Breach Science Publishers, 1999.